Un-Install: What happens to each component when PolicyPak gets unlicensed or the GPO or policy no longer applies?

An endpoint can become unlicensed due to a variety of reasons. Examples include:

  1. On-Prem, MDM or Cloud License expires.
  2. Computer moves to unlicensed / never licensed location.
  3. Using PolicyPak cloud, you specifically unlicese a component.
  4. Using PolicyPak cloud, you specifically revoke the CSE.
  5. You hand-uninstall or use SCCM or similar to un-intsall the PolicyPak CSE*
  6. You remove the computer from a licensed domain.*

*Note in these cases: The actual behavior may be somewhat different than what is described here.

An endpoint can have it’s “directives” removed because of a variety of reasons. Examples include:

  1. Deleting / unlinking a GPO.
  2. Removing an XML file placed with SCCM or by hand.
  3. Removing an XML directive from PolicyPak Cloud.
  4. ILT evaluates to FALSE.
  5. WMI evaluates to FALSE.

Different components react somewhat differently when their licenses are removed, the policy which affects them is removed, or when the Client Side Extension is forcefully removed.

In any of those cases, the PolicyPak Client Side Extension component(s) will react to that.

In *GENERAL*… :

  1. What happens when the component is UNLICENSED is that the endpoint simply doesn’t pick up new directives for that component.
  2. What happens when the POLICY IS REMOVED is that the setting will REVERT or be MAINTAINED (depends on the component.)

However you might be interested to understand the unlicensed / revert behavior for each component. Each component is listed here. (Current as of Jan 2018).

Application Settings Manager:

When un-licensed, PolicyPak Application Manager:

  1. Will not honor new PolicyPak Application Manager requests.

When un-licensed or policy revert:

  1. A setting may be set to DO NOTHING AT REVERT (Default), and example shown here.

    what-happens-to-each-component-when-policypak-gets-unlicensed-or-the-gpo-or-policy-no-longer-applies-0

    -or-

  2. If the setting is set to REVERT.. it will do that (Example here.) The value displayed will be performed at REVERT time.

    what-happens-to-each-component-when-policypak-gets-unlicensed-or-the-gpo-or-policy-no-longer-applies-1

    For Win32 apps where AppLock (UI restrictions) are used, like in this example.. the UI becomes unrestricted.

    what-happens-to-each-component-when-policypak-gets-unlicensed-or-the-gpo-or-policy-no-longer-applies-2

    When NTFS / ACL Lockdown is used (see here), the end-user will be free to change these settings inside the (previously restricted) registry.

    what-happens-to-each-component-when-policypak-gets-unlicensed-or-the-gpo-or-policy-no-longer-applies-3

    Note also that some Paks may be set to “System Wide Lockdown” like Java and Firefox like what is seen here. In those cases, all users on the system are free to make changes after the GPO no longer applies.

    what-happens-to-each-component-when-policypak-gets-unlicensed-or-the-gpo-or-policy-no-longer-applies-4

Least Privilege Manager:

When unlicensed:

  1. PPLPM will stop honoring new policies when unlicensed.

Additionally, and/or when the GPO / XML no longer applies:

  1. Applications / MSIs / Scripts etc with elevated tokens will not elevate.
  2. SecureRun(TM) will stop preventing users from self-installing items.

Browser Router:

When PolicyPak Browser Router is uninstalled or becomes un-licensed:

  1. The original default browser (as the user had it set before PolicyPak Browser Router was installed) will be placed back as default.

Additionally, and/or when the GPO / XML no longer applies, any PolicyPak Browser Router “routes” are no longer honored.

More information on PPBR’s unlicensed behavior can be seen at this linkhttps://www.policypak.com/knowledge-base/browser-router-troubleshooting/when-i-unlicense-or-remove-policypak-browser-router-from-scope-policypak-browser-router-agent-still-shows-as-os-default-browser-why-is-that-and-is-there-a-workaround.html

PolicyPak Admin Templates Manager:

When PolicyPak Admin Templates Manager becomes unlicensed PolicyPak Admin Templates Manager will no longer apply new PPATM policies:

  • Within GPOs.
  • XML Based files or
  • Via PolicyPak Cloud.

Additionally, and/or when the GPO / XML no longer applies, policy setting items work and revert exactly like Microsoft’s Admin Templates Policy settings.

So when PolicyPak Admin Templates Manager policy settings no longer apply, they revert back to their “Not Configured” value.

PolicyPak Preferences Manager:

When licensed: PolicyPak Preferences manager becomes the “intermediary” which calls Microsoft’s Group Policy Preferences CSEs. By default, we do not give our PolicyPak Preferences Manager licenses unless specifically requested by the customer (and this must be done each year.)

When PolicyPak Preferences manager becomes unlicensed:

  • In-box Group Policy Preferences is called directly; no more PolicyPak involvement.
  • PolicyPak will not process file-based XML directives
  • PolicyPak will not process PolicyPak Cloud XML directives.

When the GPO no longer applies, or Policy XML no longer applies:

  • PolicyPak will leave the Microsoft GPPrefs item intact / alone on revert when the item’s “Common :: Options” tab is set like this.

    what-happens-to-each-component-when-policypak-gets-unlicensed-or-the-gpo-or-policy-no-longer-applies-5

    what-happens-to-each-component-when-policypak-gets-unlicensed-or-the-gpo-or-policy-no-longer-applies-6

  • Or PolicyPak will delete the Microsoft GPPRefs item when the item’s “Option” tab is set like this.

    what-happens-to-each-component-when-policypak-gets-unlicensed-or-the-gpo-or-policy-no-longer-applies-7

Java Rules Manager:

When PolicyPak Java Rules Manager becomes unlicensed, PPJRM will not honor new PPJRM policies.

Additionally, and/or when the GPO / XML no longer applies PolicyPak will stop existing mappings of websites to Java.

File Associations Manager:

When PolicyPak File Associations Manager becomes unlicensed, PolicyPak File Associations Manager will no longer honor new directives.

Additionally, and/or when the GPO / XML no longer applies:

  1. The system will maintain the last settings placed by PolicyPak File Associations Manager.
  2. The system will permit users to make their own changes going forward.
  3. Other users on the system may make changes such that they will affect other users.

Start Screen & Taskbar Manager:

When PolicyPak Start Screen & Taskbar Manager becomes unlicensed:

  1. PolicyPak Start Screen & Taskbar Manager will not honor new directives.

Additionally, and/or when the GPO / XML no longer applies:

  1. The system will permit users to make their own Start Menu and taskbar changes.
  2. New users with new profiles on the system will get system default Start Menu groups.

Security Settings Manager:

When PolicyPak Security Settings Manager becomes unlicensed:

  1. PPSEC will no longer process directives from PolicyPak Cloud and
  2. PPSEC will no longer process XML based directives.

Additionally, and/or when the GPO / XML no longer applies:

  1. PPSEC items work exactly like Microsoft’s Security Settings Policy settings when the GPO is removed, or the policy is no longer applied or PPSEC becomes unlicensed.
  2. Like built-in Microsoft Security policy settings, when these settings no longer apply, they are maintained; and not reverted back.
  3. Local admins can then make changes to these settings if desired.

Back